Roles based security (JSR-250) NOT IMPLEMENTED

We considered implementing this feature in OX some years ago, but it was never implemented.
OpenXava supports roles based access control by means of JSR-250 annotations.

The access control is managed through JSR-250 annotations which are applied to entities, properties and methods. Access to actions is identically controlled with JSR-250 annotations directly declared in the action class. Access control annotations are not inherited, which could lead to unwanted security holes.

@DeclareRoles is applied to entities, calculators and actions. It is used to register roles.

@RolesAllowed is used to actually enforce the access control. It must be used on entities (class and methods) and actions (only class).

We must be careful here with references. A referenced entity that does not allow some role should not be displayed in a subview called from this role.

@RunAs, @PermitAll and @DenyAll annotations should be processed as well.

Impacts


The following impacts should be evaluated:

  1. The execution process for property actions should check the annotations and verify the user's roles.
  2. The display of controllers should hide (or at least deactivate) the actions that are not accessible.
  3. Rendering of views should perform the same check and, if necessary, hide parts of views and subviews.

Role management


[Figure: RBAC_Objects.jpg]

User. A traditional JPA Entity (annotated POJO) with common attributes. A user is a single identified person allowed to access the system or part of it. The user inherits the roles of the groups it belongs to.

Group. A traditional JPA Entity (annotated POJO) with common attributes. A group may be understood as a user profile or a way to group users with common activities in the system.

Role. A role is the description of a set of permissions to access whole or part of the system.

RoleRegistry. The role registry exposes all the roles declared in the business components and controllers defined in OpenXava. The registry is filled with the parsed annotations declared in the business components for data access control.

The user should have the possibility to manage users and groups from a standard OpenXava UI.
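
The class-level check this proposal describes, as an added example (not OpenXava code, since the feature was never implemented): it resolves a user's roles, including those inherited from groups, and evaluates the JSR-250 annotations on an action class. The `User` and `Group` records, the action class names and the deny-when-unannotated default are assumptions of this example; it needs Java 16+ and the JSR-250 API (`javax.annotation.security`) on the classpath.

```java
import java.util.*;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

public class ActionAccessCheck {

    // Hypothetical stand-ins for the User and Group entities described above.
    record Group(String name, Set<String> roles) {}
    record User(String name, Set<String> roles, List<Group> groups) {
        // Effective roles: the user's own plus those of every group it belongs to.
        Set<String> effectiveRoles() {
            Set<String> all = new HashSet<>(roles);
            groups.forEach(g -> all.addAll(g.roles()));
            return all;
        }
    }

    // Hypothetical action restricted to the "admin" role.
    @RolesAllowed("admin")
    static class DeleteInvoiceAction {}

    // No annotation of its own: @RolesAllowed is not @Inherited, so reflection
    // on this subclass finds no access control annotation at all.
    static class ArchiveInvoiceAction extends DeleteInvoiceAction {}

    // Class-level check, run before an action executes or is shown in a controller.
    static boolean isAllowed(Class<?> action, User user) {
        if (action.isAnnotationPresent(DenyAll.class)) return false;
        if (action.isAnnotationPresent(PermitAll.class)) return true;
        RolesAllowed allowed = action.getAnnotation(RolesAllowed.class);
        if (allowed == null) return false; // assumption: unannotated means denied
        return !Collections.disjoint(Arrays.asList(allowed.value()), user.effectiveRoles());
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Group managers = new Group("managers", Set.of("admin"));
        User ana = new User("ana", Set.of("sales"), List.of(managers));
        User bob = new User("bob", Set.of("sales"), List.of());

        System.out.println("ana delete:  " + isAllowed(DeleteInvoiceAction.class, ana));
        System.out.println("bob delete:  " + isAllowed(DeleteInvoiceAction.class, bob));
        // A checker that read "no annotation" as "no restriction" would let bob in here.
        System.out.println("bob archive: " + isAllowed(ArchiveInvoiceAction.class, bob));
        System.out.println("ana archive: " + isAllowed(ArchiveInvoiceAction.class, ana));
    }
}
```

With this sample data the unannotated subclass is refused for both users, so a forgotten annotation blocks the action instead of silently exposing it.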